While a self-signed certificate works for testing, it is not suitable
for a production system. You can either buy a certificate from any
commercial certification authority or get a free one from
Let’s Encrypt.

Note

There’s an optional step later in this guide to get a certificate
from Let’s Encrypt. We can’t do it right now since the Apache
config references a directory yet to be created, which prevents
Apache from starting.

Once Indico is installed, you can run the configuration wizard. You can
keep the defaults for most options, but make sure to use https://YOURHOSTNAME
when prompted for the Indico URL. Also specify valid email addresses when asked
and enter a valid SMTP server Indico can use to send emails. When asked for the
default timezone make sure this is the main time zone used in your Indico instance.

The values for attrs_prefix, mapping and identifier_field
may be different in your environment. Uncomment and set logout_uri
if your SSO infrastructure provides a logout URL (usually used to log
you out from all applications).

If you only want to use SSO, without allowing people to login locally
using username/password, disable it by setting LOCAL_IDENTITIES=False
in indico.conf.

Warning

We assume that emails received from SSO are already validated.
If this is not the case, make sure to disable trusted_email
which will require email validation in Indico when logging in
for the first time. Otherwise people could take over the account
of someone else by using their email address!

Note

The example config is rather simple and only accesses data from
SSO during login. This is not sufficient for advanced features
such as automatic synchronization of names, affiliations and phone
numbers or using centrally managed groups. To use these features,
you need to use e.g. the LDAP identity provider and use the
information received via SSO to retrieve the user details from LDAP.
If you need assistance with this, feel free to ask us on IRC
(#indico @ Freenode) or via e-mail (indico-team@cern.ch).